x/vulndb: potential Go vuln in github.com/charmbracelet/soft-serve: CVE-2024-41956

[GoVulnBot]

Advisory CVE-2024-41956 references a vulnerability in the following Go modules:

Module
github.com/charmbracelet/soft-serve

Description:
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-41956
• FIX: charmbracelet/soft-serve@4daebdd
• WEB: GHSA-m445-w3xr-vp2f

Cross references:

• github.com/charmbracelet/soft-serve appears in 1 other report(s):
  • data/excluded/GO-2023-2097.yaml (x/vulndb: potential Go vuln in github.com/charmbracelet/soft-serve: GHSA-mc97-99j4-vm2v #2097) EFFECTIVELY_PRIVATE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/charmbracelet/soft-serve
      vulnerable_at: 0.7.6
summary: CVE-2024-41956 in github.com/charmbracelet/soft-serve
cves:
    - CVE-2024-41956
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-41956
    - fix: https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184
    - web: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2f
source:
    id: CVE-2024-41956
    created: 2024-08-02T00:01:17.469118722Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports